Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove x509 ABCs #11437

Open
7 of 8 tasks
alex opened this issue Aug 15, 2024 · 17 comments
Open
7 of 8 tasks

Remove x509 ABCs #11437

alex opened this issue Aug 15, 2024 · 17 comments

Comments

@alex
Copy link
Member

alex commented Aug 15, 2024

In numerous places we only support the concrete classes, and there's no real use case for people to implement the ABCs themselves.

Therefore, we should just drop the ABCs, and replace them with the concrete base classes.

Tasks

Preview Give feedback
@alex alex added the x509 label Aug 15, 2024
@alex alex added this to the Forty Fourth Release milestone Aug 15, 2024
@TreavVasu
Copy link

Hi @alex
Is this up for taking?

How I plan to implement this:

Taking Certificate class as an example :

Link to class

class Certificate(metaclass=abc.ABCMeta):

Removing (metaclass=abc.ABCMeta) and adding it as new-style class
class Certificate:

Addressing the changes further:

Remove @abc.abstractmethod Decorators

then

Remove @abc.abstractproperty with @property

then
Retain Property Decorators (@Property) Where Needed

I am bit confused on how to Implement methods and properties here should return as here of find the linked function it sounds a bit ddumb I know but I think with little direction I can pull this off.

Let me know if I am missing something or wrong somewhere, I'll try to cover those cases again and revert back
Thanks for reading

@alex
Copy link
Member Author

alex commented Oct 18, 2024

We'd be happy to take contributions for this yes!

In terms of what needs to be done: These classes need to be deleted, and the concrete implementations should be exposed with the same name, and then we have to make sure the mypy types work correctly for them.

(With teh small asterisk that RevokedCertificate is more complicated, and should be saved for last.)

@TreavVasu
Copy link

Thanks @alex
I'll try my best

Sure, I hope you can help me on places where RevokedCertificate gets too complex :)

@alex
Copy link
Member Author

alex commented Oct 18, 2024 via email

@TreavVasu
Copy link

Thanks I was about to ask for this too.
U saved me here XD

Copy link

The removal of Certificate abc broke FreeIPA. We implement our shim on top of the x509.Certificate with additional logic.

@alex
Copy link
Member Author

alex commented Nov 29, 2024 via email

Copy link

@alex
Copy link
Member Author

alex commented Nov 29, 2024 via email

Copy link

Yes, I think so. It is literally because python doesn't see a single flag in the tp_flags that allows to subclass.

@alex
Copy link
Member Author

alex commented Nov 29, 2024 via email

Copy link

@alex does not work yet, although there is a progress:

# python3 test.py
Traceback (most recent call last):
  File "//test.py", line 4, in <module>
    cert = load_der_x509_certificate(bcert)
  File "/usr/lib/python3.13/site-packages/ipalib/x509.py", line 472, in load_der_x509_certificate
    return IPACertificate(
        crypto_x509.load_der_x509_certificate(data, backend=default_backend())
    )
TypeError: No constructor defined for IPACertificate

I built cryptography 43.0 with two additional patches: from the PR that removed abc for Certificate class and then from the PR #12077. Looking through the pyo3 documentation, it appears you need to define new constructor: https://pyo3.rs/v0.23.2/class#constructor

By default, it is not possible to create an instance of a custom class from Python code. To declare a constructor, you need to define a method and annotate it with the #[new] attribute. Only Python's new method can be specified, init is not available.

@alex
Copy link
Member Author

alex commented Dec 1, 2024

So the challenge is that we don't want Certificate to have a constructor -- the only way to construct the concrete Certificate is the various public APIs.

Copy link

I'm looking if we can replace inheritance by simply consuming x509.Certificate. We effectively do that ourselves in almost all places in FreeIPA anyway.

Copy link

I created a PR freeipa/freeipa#7614 that moves FreeIPA to treat x509.Certificate as a resource within our class. There were few changes I needed to add to IPA code to handle that with PyCA prior to 44.0.0 but nothing we cannot sustain going forward.

We are going to run more comprehensive tests this week but I think the change to get inheritance back is not needed. I'll report back once we transitioned.

@alex
Copy link
Member Author

alex commented Dec 2, 2024 via email

@reaperhulk
Copy link
Member

That's great to hear -- thanks for working on this @abbra!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants